Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 1983] New: Editcap crash during fuzztest

Date: Tue, 13 Nov 2007 14:50:08 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1983

           Summary: Editcap crash during fuzztest
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Extras
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: florent.drouin@xxxxxxxxxx


Build Information:
~/wireshark_TRUNK23440$ ./wireshark -v 
wireshark 0.99.7

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.6.4, with GLib 2.6.4, with libpcap 0.9-PRE-CVS, with libz
1.2.2, with libpcre 4.5, without SMI, with ADNS, without Lua, with GnuTLS
1.0.16, with Gcrypt 1.2.0, with Heimdal Kerberos, without PortAudio, without
AirPcap.

Running on Linux 2.6.15.7, with libpcap version 0.9-PRE-CVS.

Built using gcc 3.3.5 (Debian 1:3.3.5-13).

--
During fuzztesting of ERF files, there is a crash with editcap:
<<
Starting pass 9:
    /home/endace/Traces/Endace/eth.erf: ./tools/fuzz-test.sh: line 153: 11903
Segmentation fault      (core dumped) "$EDITCAP" -E $ERR_PROB "$CF"
$TMP_DIR/$TMP_FILE >/dev/null 2>&1
./tools/fuzz-test.sh: line 153: 11916 Aborted                 (core dumped)
"$EDITCAP" -E $ERR_PROB -T ether "$CF" $TMP_DIR/$TMP_FILE >/dev/null 2>&1
Invalid format for editcap
>>

The reason of the crash is the size of the buffer allocated for the record to
dump. On the ERF file, the size of the record is 1518 bytes, and the size of
the frame_buffer is hardcoded in file_access.c to 1500 bytes.


<<
wtap* wtap_open_offline(const char *filename, int *err, char **err_info,
    gboolean do_random)
../..
success:
        wth->frame_buffer = g_malloc(sizeof(struct Buffer));
        buffer_init(wth->frame_buffer, 1500);  <=== here
        return wth;
}
>>

I do not find the mechanisme to change the size of this frame buffer, at the
opening of an ERF file.
Do there is something missing in the erf_open function ?


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.